License & Trial
Identix ships with a 30-day free trial that unlocks every feature. No license file is required to get started — install, and the trial begins automatically on first boot.
On day 31 an unlicensed instance degrades to the FREE tier. This never blocks authentication or SSO — sign-in keeps working for everyone. Only paid features and higher resource limits are gated, and an admin banner prompts you to activate.
Licensing only affects paid features and resource limits. The broker will not stop issuing tokens or brokering SSO because a trial lapsed or a license is missing — an expired/absent license simply means the FREE tier applies.
The trial banner
Every admin page shows a banner reflecting the current entitlement:
| State | Banner |
|---|---|
| Active trial | "Free trial — N days remaining." Dismissible; emphasized in the last 7 days. |
| Trial ended | "Your free trial has ended. Running on the FREE tier with limited features." |
| Integrity failed | Shown if the trial anchor was tampered with or the system clock moved backwards — the instance is treated as FREE. |
| Licensed | No banner. |
Tiers
| | FREE (post-trial) | Trial (days 1–30) / Licensed |
|---|---|---|
| OIDC sign-in | ✅ | ✅ |
| Audit logs, multi-tenant, advanced branding, SSO integration | ✅ | ✅ |
| SAML relying parties | ❌ | ✅ |
| MFA, advanced analytics, custom workflows, webhooks, API access, premium support | ❌ | ✅ |
| Federated IdPs | up to 3 | per license (trial = unlimited) |
| Domain mappings | up to 10 | per license (trial = unlimited) |
| RP clients | up to 3 | per license (trial = unlimited) |
| API rate limit | 600 req/min | 1200 (trial) / per license |
When a FREE-tier limit is reached, creating another IdP / domain / RP client returns 403 with a message to activate a license. Creating a SAML RP client on FREE is likewise blocked.
Activation
A license is a signed .lic file. Identix verifies its RSASSA-PSS signature against the vendor public
key (LICENSE_PUBLIC_KEY) before honoring it — a forged, tampered, or wrong-key file is rejected
(fail-closed). There are two ways to activate:
Offline (manual upload)
For air-gapped or restricted-egress deployments. Obtain a .lic from your vendor and upload it on the
License page (or POST /admin/api/license/activate). Re-uploading the same file after a reinstall
restores the same entitlement — no reset.
Online (activation server)
When LICENSE_SERVER_ENABLED=true and LICENSE_SERVER_BASE_URL points at the Licenser server, first-run
setup pulls a server-issued signed license (or the server-canonical trial) automatically, and Refresh
re-validates it. The cached signed license keeps working while the server is unreachable (offline grace),
bounded by its own expiry — connectivity loss never blocks the broker.
Tamper resistance
The trial start is anchored and hardened for self-hosted environments:
- Signed anchor — re-verified on every load; a hand-edited record is treated as expired (→ FREE).
- Clock-rollback guard — a monotonic high-water mark; setting the clock back doesn't rewind the trial.
- Multi-location — the anchor is mirrored to the database and an encrypted file, reconciled to the earliest start, so deleting one copy doesn't reset the trial.
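The three checks above can be sketched together as follows. This is an added example, not Identix's own code: it assumes the anchor signature is an HMAC-SHA256 keyed by the decoded SECRET_ENCRYPTION_KEY, and the record fields (start, high_water, sig), the function names and the state strings are hypothetical.

```python
import hashlib
import hmac
import json

DAY = 86400
TRIAL_DAYS = 30       # LICENSE_TRIAL_DAYS default
SKEW = 48 * 3600      # LICENSE_CLOCK_SKEW_HOURS default, in seconds
KEY = bytes(range(32))  # constructed stand-in for the decoded SECRET_ENCRYPTION_KEY


def sign_anchor(key, start, high_water):
    """Build an anchor record carrying an HMAC-SHA256 tag (assumed scheme)."""
    body = {"start": start, "high_water": high_water}
    msg = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return body


def verify_anchor(key, rec):
    """Recompute the tag; any malformed or edited record fails closed."""
    try:
        expected = sign_anchor(key, rec["start"], rec["high_water"])["sig"]
        return hmac.compare_digest(expected, rec["sig"])
    except (KeyError, TypeError):
        return False


def evaluate(key, copies, now):
    """Resolve trial state from the mirrored copies (None = copy missing).

    Returns (state, anchor_to_write_back). TRIAL_ENDED and INTEGRITY_FAILED
    both mean the FREE tier applies. First boot (no copy at all) is out of scope.
    """
    present = [c for c in copies if c is not None]
    if not present:
        raise ValueError("no anchor copy found; first-boot path not modelled")
    if not all(verify_anchor(key, c) for c in present):
        return "INTEGRITY_FAILED", None
    start = min(c["start"] for c in present)          # earliest start wins
    high = max(c["high_water"] for c in present)      # latest time ever seen
    if now + SKEW < high:                             # clock moved back too far
        return "INTEGRITY_FAILED", None
    high = max(high, now)                             # mark only moves forward
    state = "TRIAL" if high < start + TRIAL_DAYS * DAY else "TRIAL_ENDED"
    return state, sign_anchor(key, start, high)
```

Because elapsed time is measured from the high-water mark rather than the current clock, a rollback inside the skew tolerance is accepted but gains no extra trial days.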
Configuration
| Variable | Default | Purpose |
|---|---|---|
| LICENSE_PUBLIC_KEY | (empty) | Vendor public key (PEM) used to verify .lic signatures. Empty ⇒ no license can be verified (FREE/trial only). Must be the Licenser's keys/public.pem. |
| SECRET_ENCRYPTION_KEY | (required) | Base64 32-byte key. Also keys the trial anchor's signature + encrypted mirror — must be stable and identical across all instances. |
| LICENSE_ALLOW_UNSIGNED | false | Dev-only escape hatch to accept unsigned .lic files. The broker refuses to start if this is true under the prod profile. Never enable in production. |
| LICENSE_TRIAL_DAYS | 30 | Trial length in days. |
| LICENSE_CLOCK_SKEW_HOURS | 48 | Tolerance before a backwards clock trips the rollback guard. |
| LICENSE_DATA_DIR | data/license | Where the active .lic and encrypted trial-anchor mirror are stored. |
| LICENSE_SERVER_ENABLED | false | Enable online activation against the Licenser server. |
| LICENSE_SERVER_BASE_URL | (empty) | Base URL of the Licenser server. |
| LICENSE_OFFLINE_GRACE_DAYS | 7 | Days a cached license is honored without a successful online re-validate (warning only — never blocks). |
Admin API
| Endpoint | Purpose |
|---|---|
| GET /admin/api/license/info | Current license summary. |
| GET /admin/api/license/entitlement | Resolved tier + trial state (drives the banner). |
| POST /admin/api/license/activate | Upload and activate a .lic file. |
| POST /admin/api/license/deactivate | Remove the active license. |
| POST /admin/api/license/setup | First-run setup (email/org + customer ID); triggers online activation when enabled. |
| POST /admin/api/license/refresh | Re-validate against the activation server (online only). |
